FINRA · 3110 · 4511 · 2210 · RN 25-07
The supervisory system for AI use at your broker-dealer.
Capture every prompt your reps send. Surface flagged communications to your designated principal. Hand your FINRA examiner a signed packet that maps to RN 25-07 line by line.
Why now
FINRA has named AI. Your next exam will, too.
The supervision question isn't whether your reps use AI. It's what you can show the examiner when they ask how you supervise it.
FINRA Regulatory Notice 25-07
The first AI-specific guidance
Capture prompt and output logs, track model versions, and supervise AI-assisted communications. RN 25-07 puts AI squarely inside your Rule 3110 supervisory program and your Rule 4511 books-and-records obligation.
2025 FINRA Annual Report
AI is now a stated exam priority
FINRA's 2025 Annual Regulatory Oversight Report flagged AI across cybersecurity, supervision, and communications. Expect AI questions in the next request letter, not the one after that.
Customer-complaint exposure
A 2210 violation with no record
An AI-drafted message that ships with a performance claim or an unbalanced statement is a Rule 2210 violation. If the rep ran the prompt in a private ChatGPT tab, there's nothing to show when the customer complaint lands.
Books and records · Rule 4511
What your examiner sees
Every AI interaction your reps had: timestamped, attributed to a rep and a branch, and tamper-evident. Filterable by branch / OSJ, content category, and disposition. Exportable for the 8210 request.
Exam packet · Rule 8210 / 4511
One zip. Everything the request letter asks for.
When the 8210 request letter lands, you don't want to spend two weeks assembling a binder. TinyFox compiles your AI evidence into a single signed packet — cover letter, audit trail, principal review log, WSP excerpts, rep attestations, and blocked-request register — ready to deliver.
Every artifact is tamper-evident, hash-chained, and signed by the CCO. The manifest maps each file to the FINRA rule it answers.
Principal review · Rule 3110 (incl. RN 25-07)
A queue your designated principal can actually work.
Flagged interactions surface in a supervisory queue, attributed to a rep and a rule. Your Series 24 principal sees what needs eyes — not 14,200 rows of noise — and each disposition is recorded for the next exam.
Sensitive data detected in prompt
SSN (***-**-4832) found in request from branch NYC-001 · gpt-4o
Request blocked
Prompt never reached the model · policy: block-pii-critical
Incident documented · Audit log updated
Full context logged · routed to designated principal · rep notified
Sensitive data · PII / MNPI
Sensitive data caught and blocked
If a client SSN, account number, or piece of MNPI ends up in a prompt, that's a 4511 violation and a customer-complaint risk with no record. No evidence it happened, no proof you tried to stop it, and nothing for your designated principal to bring to the next exam.
TinyFox scans every prompt before it reaches the model for SSNs, account numbers, client PII, MNPI keywords, and credentials. Requests that match are blocked in real time, and every incident is logged to a tamper-evident audit trail with the rep, the branch, and the model that was called.
Supervisory procedures · Rule 3110
Your WSPs are a PDF nobody reads.
TinyFox enforces them.
Every broker-dealer has WSPs covering AI. Almost none can enforce them at the API layer. TinyFox does — before the data ever leaves your network — and every enforcement event lands in the audit trail your examiner asks for under Rule 3110.
Block sensitive data in prompts
Requests containing SSNs, account numbers, client PII, or MNPI keywords are caught and blocked before they reach the model. Each block is logged for the supervisory record.
Restrict models by branch
OSJ-001 Research can run GPT-4. OSJ-002 Client Service is limited to Claude Haiku. Compliance gets read-only. The supervisory map is set in your WSPs and enforced at the proxy.
Budget guardrails by branch
Set spend ceilings per branch / OSJ. Slack alerts on spikes. Breaches feed straight into your supervisory queue, not a month-end invoice surprise.
Communications · Rule 2210
Catch a 2210 violation before it ships.
AI is great at writing client-facing copy. It's also great at writing performance claims, predictions, and unbalanced statements that put your firm on the wrong side of Rule 2210.
TinyFox runs pre-send checks on AI-drafted retail communications — performance claims, predictions, exaggerated or unbalanced statements, and missing disclosures — and routes anything flagged to your designated principal before it leaves the building.
AI-drafted output
Cost attribution
Every dollar of AI spend, attributed by branch.
When your COO asks how AI spend tracks against the operating budget, you need an answer — by branch, content category, and provider. Not a guess. Not a single line item on an OpenAI invoice.
TinyFox attributes every request automatically, so cost is traceable to a rep and a branch, anomalies are flagged, and your books reflect what each OSJ actually used AI for.
Spend by branch · Feb 2026
Built for the people who own AI risk at your broker-dealer
Chief Compliance Officer
Show your next FINRA examiner how AI is supervised
Complete books and records under Rule 4511, principal review log under Rule 3110, and communications controls under Rule 2210 — all generated from your firm's actual rep activity, not a spreadsheet assembled the week before the request letter lands.
Designated Principal / Series 24
A supervisory queue you can actually work
AI-assisted client communications, market commentary, and research notes flow through one place. Performance claims flagged, sensitive data blocked, dispositions captured — not buried in a dozen private ChatGPT tabs across the branches you supervise.
Chief Operating Officer
One source of truth for AI tools, costs, and risk
Spend by branch / OSJ, model, and provider. WSPs enforced at the API layer. Vendor sprawl replaced with a single line item, a single audit trail, and a single place your CCO can go for answers.
Regulatory mapping
Mapped to your WSPs
Each TinyFox capability ties back to a specific FINRA rule your supervisory program already operates under. So when the examiner asks how you supervise AI, you have a real answer — in the rule language your WSPs already use.
Sources: FINRA.org — Rules & Guidance · FINRA Regulatory Notice 25-07
Dually registered firm (both BD and RIA)? Book a call — we'll walk through both rule sets together.
Map TinyFox to your firm's WSPs.
Book a 15-minute call. We'll walk through how each capability ties to Rule 3110, 4511, 2210, and RN 25-07 — using your firm's WSP language.